Published on June 20th, 2019 📆 | 3191 Views ⚑0
More than 645,000 Oregonians impacted by DHS data breach
Personal data of more than 645,000 clients of Oregon’s Department of Human Services was compromised during a January data breach, the agency disclosed Tuesday. This number is significantly higher than the agency’s original report in March that the number of people affected “exceeded 350,000.”
The breached client information potentially includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information and other information used in DHS programs, the agency said in a news release. The personal health information includes protected health information that is due special protection under federal health privacy laws. Not all of these information types were exposed for each person.
After discovering the breach in January, the department hired a team of 70 attorneys and paralegals to read and sort the 2 million susceptible emails, Jake Sunderland, the agency’s spokesperson said Tuesday. When the department announced the breach in March, the legal team still hadn’t finished their investigation, hence the much lower figure of 350,000 clients impacted, he said. The department finished the investigation earlier this week, he said.
The department said it will provide 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to individuals whose information was accessible. A private firm with expertise in identity theft, MyIDCare, will perform those services for affected clients, the news release said.
The data breach occurred as a result of a Jan. 8 email phishing attempt when nine DHS employees opened and clicked on a phishing link, thereby giving the sender access to their accounts. The compromised accounts were secured by Jan. 28, the agency said.
DHS then hired an outside firm, ID Experts, for data analysis, estimating that 2 million emails could have been made susceptible to the scam. “The data breach affected clients from all five of our divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab,” Sunderland said.
The investigation by IDExperts cost the agency $485,000 and the credit monitoring and other protections being offered to impacted clients will cost $1,054,000. The cost to hire the outside lawyers and paraprofessional was $30,000, Sunderland said.
The 645,000 people whose information was hijacked will be notified by the department starting Wednesday. Sunderland said DHS clients should watch their mail in the coming weeks, and if they receive a letter from the agency, take action on the enclosed instructions to access the data protection services immediately. For those who do receive letters, Sunderland emphasized, “We haven’t come across any evidence that the information exposed was viewed or used,” but the agency is still providing protection services in the event that it has.
“If you don’t get a letter, you’re fine,” Sunderland said.
— Casey Chaffin; firstname.lastname@example.org; @todaycaseysays